diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4f91bdd27b11639a561fb54736e0cc29c24d5bfe..9e808cc7a9b1dd521fe7635aca71fff6d5fe9ce4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,7 +12,9 @@ stages:
   - post-qa
   - pages
 
-# always use `gitlab-org` runners
+# always use `gitlab-org` runners, however
+# in cases where jobs require Docker-in-Docker, the job
+# definition must be extended with `.use-docker-in-docker`
 default:
   tags:
     - gitlab-org
@@ -49,6 +51,7 @@ variables:
   BUILD_ASSETS_IMAGE: "false"
   ES_JAVA_OPTS: "-Xms256m -Xmx256m"
   ELASTIC_URL: "http://elastic:changeme@elasticsearch:9200"
+  DOCKER_VERSION: "19.03.0"
 
 include:
   - local: .gitlab/ci/cache-repo.gitlab-ci.yml
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index d1fe9c6241d80619dca2904776c415d04ed54bbe..f465099195be6710d21f5550606ca5f0c9922ef5 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -15,10 +15,9 @@
     - .default-retry
     - .default-before_script
     - .assets-compile-cache
+    - .use-docker-in-docker
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-git-2.26-lfs-2.9-chrome-73.0-node-12.x-yarn-1.21-graphicsmagick-1.3.34-docker-19.03.1
   stage: prepare
-  services:
-    - docker:19.03.0-dind
   variables:
     NODE_ENV: "production"
     RAILS_ENV: "production"
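Review bot: The `image:` line kept in this job overrides `image: docker:${DOCKER_VERSION}` from the newly extended `.use-docker-in-docker`, and nothing in the hunk says that is intended. The job image tag ends in `docker-19.03.1`, while the dind service now follows `DOCKER_VERSION` (`"19.03.0"` in `.gitlab-ci.yml`), so the client and daemon versions are set in two places and can drift apart. A comment above the image line would make this explicit, for example `# overrides the image from .use-docker-in-docker; keep the bundled Docker client compatible with DOCKER_VERSION`. The same override exists in `.review-docker` in `.gitlab/ci/review.gitlab-ci.yml`, and this job's header lies outside the hunk.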
@@ -27,8 +26,6 @@
     WEBPACK_REPORT: "true"
     # we override the max_old_space_size to prevent OOM errors
     NODE_OPTIONS: --max_old_space_size=3584
-    DOCKER_DRIVER: overlay2
-    DOCKER_HOST: tcp://docker:2375
   cache:
     key: "assets-compile:production:v1"
   artifacts:
@@ -53,9 +50,6 @@
     - time scripts/build_assets_image
     - scripts/clean-old-cached-assets
     - rm -f /etc/apt/sources.list.d/google*.list  # We don't need to update Chrome here
-  tags:
-    - gitlab-org
-    - docker
 
 gitlab:assets:compile pull-push-cache:
   extends:
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index b557624d3452561dba732ba5ecae71c79f5a9e4c..9e566d78e95427c0bdb77c6eacffcbde117c73cb 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -101,3 +101,15 @@
 .as-if-foss:
   variables:
     FOSS_ONLY: '1'
+
+.use-docker-in-docker:
+  image: docker:${DOCKER_VERSION}
+  services:
+    - docker:${DOCKER_VERSION}-dind
+  variables:
+    DOCKER_DRIVER: overlay2
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ""
+  tags:
+    # See https://gitlab.com/gitlab-com/www-gitlab-com/-/issues/7019 for tag descriptions
+    - gitlab-org-docker
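Review bot: `DOCKER_TLS_CERTDIR: ""` together with `DOCKER_HOST: tcp://docker:2375` means every job extending this template talks to the dind daemon over an unencrypted, unauthenticated TCP socket, and the template has no comment saying so. Now that the setting is inherited rather than spelled out per job, it should be documented where it is defined. I would add above the `variables:` key: `# TLS is disabled for the dind service (plain TCP on 2375); only use this template on the dedicated gitlab-org-docker runners`. The TLS setup on port 2376 would be stricter, but whether it is possible depends on runner configuration that is not visible here.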
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 77ad938a0ef789e4b29b877cbabeb5ed247ca833..b1343afdb5e6ada1ca3ea5db81c9837b7fdf6623 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -11,15 +11,14 @@ code_quality:
   extends:
     - .default-retry
     - .reports:rules:code_quality
+    - .use-docker-in-docker
   stage: test
   needs: []
-  image: docker:stable
   allow_failure: true
-  services:
-    - docker:stable-dind
   variables:
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
+    # emptying DOCKER_HOST so it can be detected properly on kubernetes executor
+    # with the script below
+    DOCKER_HOST: ""
     CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.9"
   script:
     - |
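Review bot: The comment added above `DOCKER_HOST: ""` does not say that the empty value overrides `tcp://docker:2375` inherited from `.use-docker-in-docker`, nor what happens when the detection does not set it. With an empty `DOCKER_HOST` the Docker client should fall back to its default local socket, and because this job is `allow_failure: true` a wrong fallback would not block the pipeline. I would reword it to `# clear DOCKER_HOST inherited from .use-docker-in-docker; the script below sets it after detecting the executor`, assuming that is what the script does, since it lies outside this hunk. The same three lines are repeated in the `sast` and `dependency_scanning` hunks and could live in one shared hidden job instead.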
@@ -50,6 +49,7 @@ sast:
   extends:
     - .default-retry
     - .reports:rules:sast
+    - .use-docker-in-docker
   stage: test
   allow_failure: true
   needs: []
@@ -59,14 +59,12 @@ sast:
     reports:
       sast: gl-sast-report.json
     expire_in: 1 week  # GitLab-specific
-  image: docker:stable
   variables:
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
+    # emptying DOCKER_HOST so it can be detected properly on kubernetes executor
+    # with the script below
+    DOCKER_HOST: ""
     SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
     SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec  # GitLab-specific
-  services:
-    - docker:stable-dind
   script:
     - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
     - |
@@ -89,16 +87,15 @@ dependency_scanning:
   extends:
     - .default-retry
     - .reports:rules:dependency_scanning
+    - .use-docker-in-docker
   stage: test
   needs: []
-  image: docker:stable
   variables:
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
+    # emptying DOCKER_HOST so it can be detected properly on kubernetes executor
+    # with the script below
+    DOCKER_HOST: ""
     DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec"  # GitLab-specific
   allow_failure: true
-  services:
-    - docker:stable-dind
   script:
     - export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
     - |
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 8148b044eb46c446bd9ce5ba6fe243a8a6a0530d..0ca27c52083b1ce340adf20d9eb56773a64f9c45 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -1,15 +1,9 @@
 .review-docker:
   extends:
     - .default-retry
+    - .use-docker-in-docker
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6
-  services:
-    - docker:19.03.0-dind
-  tags:
-    - gitlab-org
-    - docker
   variables:
-    DOCKER_DRIVER: overlay2
-    DOCKER_HOST: tcp://docker:2375
     GITLAB_EDITION: "ce"
 
 build-qa-image: